Blog

Patching AIX from the command-line

Many people use SMIT when updating AIX and/or NIM but do not realise that they can also do this from the command-line using two IBM-supplied scripts. Patches downloaded from Fix Central should all be in one directory e.g. “6100-08-02-1316”.

Change to the directory containing the patches and ensure that it is writeable, so inutoc can create/update the index, and that all the files are readable by root.

splitvg [ -y SnapVGname ] [ -c Copy ] [ -f ] [ -i ] VGname
This splits a single mirror copy of a fully mirrored volume group into a snapshot volume group. The original volume group VGname will stop using the disks that are now part of the snapshot volume group SnapVGname.

This method can also be used to split-off copies of one or more logical-volumes.

Splitting copies of a logical volume

The splitlvcopy command splits copies from one logical volume and creates a new and separate logical volume from them. The general syntax of the splitlvcopy command is as follows:

To split one copy of each logical partition belonging to the logical volume named “oldlv” which currently has 3 copies of each logical partition, and create the logical volume “newlv”, use the splitlvcopy command as follows:

# splitlvcopy -y newlv oldlv 2

Each logical partition in the logical volume “oldlv” now has two physical partitions.
Each logical partition in the logical volume “newlv” now has one physical partition.

Mirroring is an LVM task that you perform only on logical volumes to migrate data. The following example shows how to create a mirror copy of a logical volume using the mklvcopy command:

# mklvcopy -e m -s y -k datalv 2 hdisk3 hdisk7

.

.

# splitlvcopy -y splitlv datalv 1

Once you have a split copy you can mount the filesystem elsewhere and back it up whilst the original is still being updated. Once finished you simply join the LV or VG and the mirrors are re-synced automatically.


Importing a new Volume Group

Accidentally importing a disk that has a root volume group can have disastrous results on your AIX system because it renames the logical-volumes required to boot your system, therefore you should know something about a disk or disks before you attempt to import them.

Here are some handy LVM commands that help you to see what is on a disk(s) without importing:

List the maximum number of logical volumes allowed in the VG
# lqueryvg -p PVname -N


Installing RPMs

Installing RPMs in AIX can be a real pain and a lot of time can be spent looking for the dependent packages etc. This is a quick tip which enables you to see a package’s contents and dependencies without having to try to install it:

To see some background information:

# rpm -qpi ./sudo-1.8.9p5-1.aix5.1.ppc.rpm
Name : sudo Relocations: (not relocateable)
Version : 1.8.9p5 Vendor: (none)
Release : 1 Build Date: Thu Feb 6 14:46:56 CET 2014
Install date: (not installed) Build Host: aix51.perzl.org
Group : Applications/System Source RPM: sudo-1.8.9p5-1.src.rpm
Size : 1571387 License: BSD
URL : http://www.courtesan.com/sudo/
Summary : Allows restricted root access for specified users
Description :
Sudo (superuser do) allows a system administrator to give certain
users (or groups of users) the ability to run some (or all) commands
as root while logging all commands and arguments. Sudo operates on a
per-command basis. It is not a replacement for the shell. Features
include: the ability to restrict what commands a user may run on a
per-host basis, copious logging of each command (providing a clear
audit trail of who did what), a configurable timeout of the sudo
command, and the ability to use the same configuration file (sudoers)
on many different machines.

Adding the “--changelog” argument also lets you see all the author’s publishing information:


An interesting LDAP feature

Many people use LDAP to store vital information such as usernames and passwords, and sudo rules, and this information should always be protected as much as possible. The ideal solution is to configure Secure LDAP and have all your traffic encrypted using a certificate. The problem is that you have to start somewhere and it is always easier to start with the most basic configuration, and add functionality as you go.

The easiest and supported method for configuring an AIX server as an LDAP client is to use the mksecldap command. This method not only configures the “/etc/ldap/ldap.cfg” configuration file, it tests the actual connection and adds an entry to the “/etc/inittab” which ensures that LDAP starts during boot.

According to IBM this password has been salted and the file cannot be copied to another system. However, this is not the case: you can actually create a single file, copy it to all your hosts, and just add the entry to “/etc/inittab”, which gives you a really quick way to build a test environment. But what happens if you want to change the password, or make every host bind using a different name?

The conventional wisdom is to create an account that matches the hostname of each server. This works nicely but if you want to do this you also need to run mksecldap on each host, or do you?

If you are sticking to one user for all and just want to change the password you can simply run mksecldap on one host, distribute the “ldap.cfg” and restart the daemons. However, you can also create a new password by running:

# /usr/sbin/secldapclntd -e <new-password>

and then append this to the “bindpwd:” entry and recycle the daemon. The interesting part is that this new password is SALTED and so cannot be copied to another system, which means if you want to script this, it has to run on each target machine.

Note: If you are testing/are unsure about a password you can simply enter the plain-text, restart the daemon, and this will also work, but should obviously be replaced ASAP.

The other thing to consider is that if your LDAP server(s) is not available during boot, your AIX server will hang. It is therefore worth considering replacing “wait” with “once”.
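The per-host steps described above (encrypt locally, update the “bindpwd:” entry, recycle the daemon) plus a check for the “wait” inittab action, as an added shell example that is not IBM's or the blog author's code. It assumes that "secldapclntd -e" prints the encrypted value as a single line on stdout and that the daemon is recycled with restart-secldapclntd; the variable and function names are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM's or the author's code. Run as root ON EACH TARGET HOST:
# the article notes the value produced by "secldapclntd -e" is salted per system.
LDAP_CFG=${LDAP_CFG:-/etc/ldap/ldap.cfg}                    # path from the article
ENCRYPT_CMD=${ENCRYPT_CMD:-/usr/sbin/secldapclntd}          # called as: $ENCRYPT_CMD -e <pw>
RESTART_CMD=${RESTART_CMD:-/usr/sbin/restart-secldapclntd}  # assumed way to recycle the daemon

# set_bindpwd CFG VALUE: replace the value of every "bindpwd:" line in CFG.
# The new file is written with umask 077 so the bind credential is owner-only.
set_bindpwd() {
    cfg=$1; value=$2
    [ -n "$value" ] || { echo "refusing to write an empty bindpwd" >&2; return 1; }
    grep '^bindpwd:' "$cfg" >/dev/null || { echo "no bindpwd: entry in $cfg" >&2; return 1; }
    old_umask=$(umask); umask 077
    tmp="$cfg.new.$$"
    # ENVIRON (not -v) so awk does not interpret backslashes in the value.
    NEWVAL=$value awk '/^bindpwd:/ { print "bindpwd:" ENVIRON["NEWVAL"]; next } { print }' \
        "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    rc=$?
    [ "$rc" -eq 0 ] || rm -f "$tmp"
    umask "$old_umask"
    return "$rc"
}

# rotate_bindpwd PASSWORD: encrypt locally, update ldap.cfg, recycle the daemon.
# Assumption: "$ENCRYPT_CMD -e" prints the encrypted value as one line on stdout.
# The plain-text password is a command argument, as in the article's command,
# so it is visible in the process list while the command runs.
rotate_bindpwd() {
    enc=$("$ENCRYPT_CMD" -e "$1") || return 1
    [ "$(printf '%s\n' "$enc" | wc -l)" -eq 1 ] || { echo "unexpected output" >&2; return 1; }
    set_bindpwd "$LDAP_CFG" "$enc" && "$RESTART_CMD"
}

# ldap_inittab_wait FILE: print the ids of inittab entries that start
# secldapclntd with action "wait", i.e. boot blocks while LDAP is unreachable.
ldap_inittab_wait() {
    awk -F: '!/^[:#]/ && $3 == "wait" && /secldapclntd/ { print $1 }' "$1"
}
```

Call rotate_bindpwd with the new password on each host, and run ldap_inittab_wait /etc/inittab to list the entries worth switching to “once”.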
